Description
A vulnerability was determined in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This affects an unknown function of the file /viva/update.php of the component HTTP POST Request Handler. This manipulation of the argument Name causes improper authorization. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-06
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Assess Impact
AI Analysis

Impact

The vulnerability resides in the HTTP POST Request Handler at /viva/update.php of the Cyber-III Student-Management-System. Manipulating the Name argument bypasses authorization checks, allowing an attacker to modify or potentially create entries without proper privileges. The resulting unauthorized actions can compromise data integrity and confidentiality of student records. The weakness is classified as improper authorization (CWE-266) and insecure credential management (CWE-285).

Affected Systems

The affected product is Cyber‑III Student‑Management‑System, with the vulnerability present up to the commit 1a938fa61e9f735078e9b291d2e6215b4942af3f. Because the project uses a rolling release model, no specific version numbers are available, meaning all iterations before a patch remain vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity, and the exploit has been publicly disclosed, making it likely that attackers can employ known techniques. EPSS data is not provided, and the vulnerability is not listed in the CISA KEV catalog, but the lack of an authorization guard and the remote nature of the attack vector via HTTP POST raise the risk of exploitation. In practice, an attacker controlling the Name parameter can trigger the bug from any network position that can reach the application.

Generated by OpenCVE AI on April 6, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the project repository and vendor website for an updated release that addresses the authorization issue.
  • If no fix is released, restrict external network access to the Student‑Management‑System and isolate the service from untrusted hosts.
  • Monitor public advisories and vulnerability databases for new patches or workarounds.
  • Implement web‑application firewall rules to detect and block unexpected or malformed Name parameters until a patch is available.



Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Cyber-iii; Cyber-iii student-management-system
Vendors & Products | | Cyber-iii; Cyber-iii student-management-system

Mon, 06 Apr 2026 20:00:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Apr 2026 10:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was determined in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This affects an unknown function of the file /viva/update.php of the component HTTP POST Request Handler. This manipulation of the argument Name causes improper authorization. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Title | | Cyber-III Student-Management-System HTTP POST Request update.php improper authorization
Weaknesses | | CWE-266; CWE-285
References | |
Metrics | | cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-06T18:32:11.791Z

Reserved: 2026-04-05T20:36:07.502Z

Link: CVE-2026-5642

Vulnrichment

Updated: 2026-04-06T18:32:03.730Z

NVD

Status: Awaiting Analysis

Published: 2026-04-06T10:16:02.760

Modified: 2026-04-07T13:20:35.010

Link: CVE-2026-5642

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:32:59Z
